web: Fix duplicate Turnstile widgets after extended idle by GirlBossRush · Pull Request #21380 · goauthentik/authentik

GirlBossRush · 2026-04-03T22:41:30Z

Details

Turnstile's client-side script includes a self-upgrade mechanism that periodically replaces its own <script> tag with a fresh version. When the upgraded script loads, it restores its internal widget state and then re-scans the DOM for .cf-turnstile elements to implicitly render — even though those containers already have an active widget. This results in duplicate widgets accumulating over time.

This PR changes our Turnstile controller from implicit rendering (via the cf-turnstile class and data-* attributes), to explicit rendering (?render=explicit on the script URL + a manual turnstile.render() call). With explicit mode, the self-upgrade cycle no longer triggers a DOM scan, so existing widgets aren't duplicated.

Closes #18156

netlify · 2026-04-03T22:42:52Z

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	`f30353e`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/69d51774a3000a0008cfe468
😎 Deploy Preview	https://deploy-preview-21380--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

netlify · 2026-04-03T22:43:22Z

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	`f30353e`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69d5177447e79f0007290460
😎 Deploy Preview	https://deploy-preview-21380--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

codecov · 2026-04-03T22:50:55Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.62%. Comparing base (a5aac6e) to head (f30353e).
⚠️ Report is 27 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #21380      +/-   ##
==========================================
+ Coverage   92.59%   92.62%   +0.02%     
==========================================
  Files        1023     1023              
  Lines       58904    58904              
  Branches     1791     1791              
==========================================
+ Hits        54545    54561      +16     
+ Misses       4310     4294      -16     
  Partials       49       49

Flag	Coverage Δ
conformance	`36.98% <ø> (-0.01%)`	⬇️
e2e	`42.93% <ø> (+0.23%)`	⬆️
integration	`33.92% <ø> (-0.01%)`	⬇️
rust	`59.24% <ø> (ø)`
unit	`91.89% <ø> (+<0.01%)`	⬆️
unit-migrate	`91.96% <ø> (+12.76%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

github-actions · 2026-04-03T23:27:06Z

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-f30353ea53ed1b68323161e9087fc0af4224508a
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-f30353ea53ed1b68323161e9087fc0af4224508a

Afterwards, run the upgrade commands from the latest release notes.

netlify · 2026-04-06T11:21:01Z

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	`f30353e`
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/69d5177402088900080a0c9d
😎 Deploy Preview	https://deploy-preview-21380--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

This cherry-pick has conflicts that need manual resolution. Original PR: #21380 Original commit: 59ac8ba

authentik-automation · 2026-04-08T12:42:00Z

⚠️ Cherry-pick to version-2025.12 has conflicts: #21472

* Flesh out turnstile fixes. * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>

authentik-automation · 2026-04-08T12:42:11Z

🍒 Cherry-pick to version-2026.2 created: #21473

…#21380 to version-2026.2) (#21473) web: Fix duplicate Turnstile widgets after extended idle (#21380) * Flesh out turnstile fixes. * format --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>

…k#21380) * Flesh out turnstile fixes. * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io>

* Flesh out turnstile fixes. * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io> (cherry picked from commit 59ac8ba)

Picks up the non-PR-#21380 changes to captcha files that are already on main: `.style-scope` selector variants in CaptchaStage.css (from #20134) and `export default CaptchaStage` (from #20397). Both are functionally inert on this branch — no code applies the style-scope class to ak-stage-captcha, and no importer uses the default export — but including them keeps the cherry-pick zero-drift against main.

* Flesh out turnstile fixes. * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io> (cherry picked from commit 59ac8ba)

Picks up the non-PR-#21380 changes to captcha files that are already on main: `.style-scope` selector variants in CaptchaStage.css (from #20134) and `export default CaptchaStage` (from #20397). Both are functionally inert on this branch — no code applies the style-scope class to ak-stage-captcha, and no importer uses the default export — but including them keeps the cherry-pick zero-drift against main.

* Flesh out turnstile fixes. * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io> (cherry picked from commit 59ac8ba)

Picks up the non-PR-#21380 changes to captcha files that are already on main: `.style-scope` selector variants in CaptchaStage.css (from #20134) and `export default CaptchaStage` (from #20397). Both are functionally inert on this branch — no code applies the style-scope class to ak-stage-captcha, and no importer uses the default export — but including them keeps the cherry-pick zero-drift against main.

* Flesh out turnstile fixes. * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io> (cherry picked from commit 59ac8ba)

Picks up the non-PR-#21380 changes to captcha files that are already on main: `.style-scope` selector variants in CaptchaStage.css (from #20134) and `export default CaptchaStage` (from #20397). Both are functionally inert on this branch — no code applies the style-scope class to ak-stage-captcha, and no importer uses the default export — but including them keeps the cherry-pick zero-drift against main.

…#21380 to version-2025.12) (#21472) * web: Captcha Refinements, Part 2 (#19757) * Move inline styles into separate file. * Fix preferred order of captcha vendor discovery. * Clean up mutation and resize observer lifecycle. * Flesh out controllers. * Tidy refresh. * Fix incompatibilities with Storybook. * Flesh out captcha stories. * Bump package. * Flesh out stories. * Move inline styles into separate file. * Fix preferred order of captcha vendor discovery. * Clean up mutation and resize observer lifecycle. * Flesh out controllers. * Tidy refresh. * Remove unused. * Bump package. (cherry picked from commit 388f426) * web: Fix duplicate Turnstile widgets after extended idle (#21380) * Flesh out turnstile fixes. * format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens Langhammer <jens@goauthentik.io> (cherry picked from commit 59ac8ba) * web: align captcha stage with post-21380 main drift Picks up the non-PR-#21380 changes to captcha files that are already on main: `.style-scope` selector variants in CaptchaStage.css (from #20134) and `export default CaptchaStage` (from #20397). Both are functionally inert on this branch — no code applies the style-scope class to ak-stage-captcha, and no importer uses the default export — but including them keeps the cherry-pick zero-drift against main. * bump. * Enforce strict tsconfig version. Format. * Fix linter warning. --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens@goauthentik.io>

GirlBossRush requested a review from a team as a code owner April 3, 2026 22:41

GirlBossRush force-pushed the captcha-refinements-part-3 branch from b5d4ee2 to d129376 Compare April 3, 2026 22:55

GirlBossRush changed the title ~~web: Captcha Refinements, Part 3~~ web: Fix duplicate Turnstile widgets after extended idle Apr 3, 2026

GirlBossRush added backport/version-2025.12 Add this label to PRs to backport changes to version-2025.12 backport/version-2026.2 Add this label to PRs to backport changes to version-2026.2 labels Apr 3, 2026

GirlBossRush assigned BeryJu and GirlBossRush Apr 3, 2026

GirlBossRush requested a review from BeryJu April 3, 2026 23:00

GirlBossRush added this to authentik Core Apr 3, 2026

github-project-automation Bot moved this to Todo in authentik Core Apr 3, 2026

GirlBossRush added the area:frontend Features or issues related to the browser, TypeScript, Node.js, etc label Apr 3, 2026

BeryJu approved these changes Apr 5, 2026

View reviewed changes

github-project-automation Bot moved this from Todo to In Progress in authentik Core Apr 5, 2026

GirlBossRush and others added 2 commits April 7, 2026 16:40

Flesh out turnstile fixes.

7211f42

format

f30353e

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

GirlBossRush force-pushed the captcha-refinements-part-3 branch from 91aa182 to f30353e Compare April 7, 2026 14:40

GirlBossRush merged commit 59ac8ba into main Apr 8, 2026
158 of 163 checks passed

GirlBossRush deleted the captcha-refinements-part-3 branch April 8, 2026 12:41

github-project-automation Bot moved this from In Progress to Done in authentik Core Apr 8, 2026

authentik-automation Bot pushed a commit that referenced this pull request Apr 8, 2026

Cherry-pick #21380 to version-2025.12 (with conflicts)

4b664b5

This cherry-pick has conflicts that need manual resolution. Original PR: #21380 Original commit: 59ac8ba

authentik-automation Bot mentioned this pull request Apr 8, 2026

web: Fix duplicate Turnstile widgets after extended idle (cherry-pick #21380 to version-2025.12) #21472

Merged

4 tasks

authentik-automation Bot mentioned this pull request Apr 8, 2026

web: Fix duplicate Turnstile widgets after extended idle (cherry-pick #21380 to version-2026.2) #21473

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

web: Fix duplicate Turnstile widgets after extended idle#21380

web: Fix duplicate Turnstile widgets after extended idle#21380
GirlBossRush merged 2 commits intomainfrom
captcha-refinements-part-3

GirlBossRush commented Apr 3, 2026 •

edited

Loading

Uh oh!

netlify Bot commented Apr 3, 2026 •

edited

Loading

Uh oh!

netlify Bot commented Apr 3, 2026 •

edited

Loading

Uh oh!

codecov Bot commented Apr 3, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 3, 2026 •

edited

Loading

Uh oh!

netlify Bot commented Apr 6, 2026 •

edited

Loading

Uh oh!

Uh oh!

authentik-automation Bot commented Apr 8, 2026

Uh oh!

authentik-automation Bot commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

GirlBossRush commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Details

Uh oh!

netlify Bot commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for authentik-storybook ready!

Uh oh!

netlify Bot commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for authentik-docs ready!

Uh oh!

codecov Bot commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

github-actions Bot commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

netlify Bot commented Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for authentik-integrations ready!

Uh oh!

Uh oh!

authentik-automation Bot commented Apr 8, 2026

Uh oh!

authentik-automation Bot commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

GirlBossRush commented Apr 3, 2026 •

edited

Loading

netlify Bot commented Apr 3, 2026 •

edited

Loading

netlify Bot commented Apr 3, 2026 •

edited

Loading

codecov Bot commented Apr 3, 2026 •

edited

Loading

github-actions Bot commented Apr 3, 2026 •

edited

Loading

netlify Bot commented Apr 6, 2026 •

edited

Loading